1. PURPOSE

• To provide guidance regarding the management of risk 

• To support the achievement of corporate objectives 

• To protect staff and business assets 

• To ensure financial sustainability. 

2. SCOPE 

This policy applies to all municipal activities. It forms part of the governance framework and is
applicable to all employees, contractors and volunteers.

3. DEFINITIONS 

a) Risk - means the likelihood of a threat materializing by exploitation of an event or
incident to create vulnerability (the effect of uncertainty on objectives)

b) Risk register - A database of the risks that an organization is exposed to.

c) Risk appetite - Is the maximum amount of risk that the institution is able to accept
in line with government priorities and its strategic goals, without exposing it to the point
where its survival is under threat and it faces financial constraints.

d) Risk analysis - A systemic use of available information to determine how often
specified events may occur and the magnitude of their consequences.

e) Risk Assessments - “Risk assessment involves a dynamic and iterative process
for identifying and analyzing risks to achieving the entity’s objectives, forming a
basis for determining how risks shall be managed.”

f) Risk strategy - Is the plan to ensure that the institution is operating within its risk
appetite.

g) Risk Evaluation - The process used to determine risk management priorities by
comparing the level of risk against the likelihood and consequences.

h) Risk Management - Is the process of analyzing and assessing exposure to risk and
determining how best to manage exposure to limit or even eliminate the risks.

i) Risk Management Process - Involves the identification, assessment, and
prioritization of the risks and the application of resources to minimize, monitor and
control the probability and/or impact of the negative occurrence.

4. LEGISLATIVE MANDATES 

a) Municipal Finance Management Act (Act 56 of 2003) (MFMA) 

b) Public Sector Risk Management Framework 

c) The King V Report on Corporate Governance 

RISK MANAGEMENT POLICY Page 3

d) ISO 31000 

e) COSO Framework 

f) Occupational Health and Safety Act (Act 85 of 1996) 

5. RISK MANAGEMENT OBJECTIVES 

a) To minimize harm to the physical, human, fiscal and environmental resources, and 
minimize the total cost of risk 

b) To minimize harm and the cost of risk 

c) To avoid unnecessary or unreasonable exposures to the extent practicable 

d) To take all reasonable and practical steps to prevent harmful events and losses 

e) To initiate reasonable and appropriate loss control techniques to control the 
frequency and severity of those losses that are unavoidable 

6. RISK MANAGEMENT AND INTERNAL CONTROLS 

a) The municipality shall ensure that its risk management framework is responsive to 
changes in or expansion of business activities, and developments in the operating 
environment 

b) The framework shall support the ability of the municipality to anticipate and react
quickly to new or emerging risks

c) When developing strategies or responses to mitigate risks, consideration shall be 
given to the impact of the chosen mitigation strategy on other risks, directly or 
indirectly. These shall be explicitly considered and accounted for, to avoid giving 
rise to new unattended risks 

7. RISK CULTURE OR CONTROL ENVIRONMENT 

a) The council and management shall ensure that risk management activity is not 
carried out in isolation but is well-integrated throughout the organization 

b) The municipality shall promote the awareness and understanding of risks 
throughout the institution. 

8. RISK APPETITE

a) The risk appetite shall be clearly stated and articulated so that it informs 
management decisions. 

b) In accordance with the MFMA, the municipality shall have a low risk appetite for all forms
of loss resulting from negligence and wasteful or fruitless expenditure

c) Risk appetite shall be determined and quantified using data that has been
produced over time for that particular risk or risk event.

d) The risk appetite shall be consistent with the skills and resources available within 
the municipality to manage and monitor risk exposures. 

e) The risk appetite shall address the major types of risk that the municipality needs to 
manage and the tolerance levels around specific risks that are acceptable to the 
municipality in executing its business strategy 

9. RISK ASSESSMENT METHODOLOGY 

Risk assessment techniques 

a) Questionnaires and checklists - Use of structured questionnaires and checklists to 
collect information to assist with the recognition of the significant risks 

b) Workshops and brainstorming - Collection and sharing of ideas and discussion of
the events that could impact the objectives, stakeholder expectations or key
dependencies

c) Inspections and audits - Physical inspections of premises and activities and audits
of compliance with established systems and procedures

d) Flowcharts and dependency analysis - Analysis of processes and operations within the
organisation to identify critical components that are key to success

e) SWOT and PESTLE analyses - Strengths, weaknesses, opportunities, threats
(SWOT) and political, economic, social, technological, legal, environmental (PESTLE)
analyses offer structured approaches to risk recognition


The following rating tables are used to assess the potential impact of risks.

Impact

Impact is the extent of damage or loss that the municipality may incur in the event that the
risk occurs.

| Rating | Assessment | Definition |
|---|---|---|
| 1 | Insignificant | Negative outcomes or missed opportunities that are likely to have a negligible impact on the ability to meet objectives. |
| 2 | Minor | Negative outcomes or missed opportunities that are likely to have a relatively low impact on the ability to meet objectives. |
| 3 | Moderate | Negative outcomes or missed opportunities that are likely to have a relatively moderate impact on the ability to meet objectives. |
| 4 | Major | Negative outcomes or missed opportunities that are likely to have a relatively substantial impact on the ability to meet objectives. |
| 5 | Critical | Negative outcomes or missed opportunities that are of critical importance to the achievement of the objectives. |


Likelihood 

Likelihood answers the question - what are the chances of the risk occurring? 


| Rating | Assessment | Definition |
|---|---|---|
| 1 | Rare | The risk is conceivable but is only likely to occur in extreme circumstances |
| 2 | Unlikely | The risk occurs infrequently and is unlikely to occur within the next 3 years |
| 3 | Moderate | There is an above average chance that the risk will occur at least once in the next 3 years |
| 4 | Likely | The risk could easily occur, and is likely to occur at least once within the next 12 months |
| 5 | Common | The risk is already occurring, or is likely to occur more than once within the next 12 months |


Perceived control effectiveness and risk exposure at residual level 


| Effectiveness category | Category definition | Factor |
|---|---|---|
| Very good | Risk exposure is effectively controlled and managed | 20% |
| Good | Majority of risk exposure is effectively controlled and managed | 40% |
| Satisfactory | There is room for some improvement | 65% |
| Weak | Some of the risk exposure appears to be controlled, but there are major deficiencies | 80% |
| Unsatisfactory | Control measures are ineffective | 90% |

Inherent risk exposure (impact x likelihood)

The rating table will be utilised to categorise the various levels of inherent risk. 


| Risk rating | Inherent risk magnitude | Response |
|---|---|---|
| 8-14 | Medium | Unacceptable level of risk, except under unique circumstances or conditions - Moderate level of control intervention required to achieve an acceptable level of residual risk |
| 1-7 | Low | Mostly acceptable - Low level of control intervention required, if any. |


Residual risk exposure (inherent risk x control effectiveness) 

The following is an example of a rating table that can be utilised to categorise the various 
levels of residual risk. Institutions are encouraged to customise the rating table to their 
specific requirements. 


| Risk rating | Residual risk magnitude | Response |
|---|---|---|
| 8-14 | Medium | Unacceptable level of residual risk - Implies that the controls are either inadequate (poor design) or ineffective (poor implementation). Controls require some redesign, or more emphasis on proper implementation. |
| 1-7 | Low | Mostly acceptable level of residual risk - Requires minimal control improvements. |

10. RISK RESPONSE

a) Management shall select appropriate actions to align risks with risk tolerance and 
risk appetite 

b) The risk responses chosen shall be realistic, taking into account the costs of 
responding as well as the impact on risk. 


Types of responses 


| Strategy | Brief Description |
|---|---|
| Accept the risk | Taking a chance that the risk may or may not occur/happen |
| Avoid the risk | Changing your plans in order to prevent the risk from arising |
| Mitigate the risk | Reducing/lessening the impact/seriousness of the risk and probability |
| Transfer the risk | Transferring the risk to a capable party that can manage the outcome |


11. RISK ARCHITECTURE 

Risk governance focuses on applying the principles of sound corporate governance to the 
assessment and management of risks to ensure that risk taking activities are aligned with 
an institution’s capacity to absorb losses and its long-term viability. 


Council - Provides policy, oversight and review of risk management

Audit and Risk Committee - Oversees regular review of risk management activities

Accounting Officer - Drives culture of risk management

Risk Manager - Continuously improving risk management policy, strategy
and supporting framework

Managers - Ensure staff in their business units comply with the
risk management policy and foster a culture where risks can
be identified and escalated

Staff and Contractors - Comply with risk management policies and procedures

Roles and responsibilities

Council 

a) The council shall ensure that strategic objectives are supported by a sound risk 
strategy and an effective risk management framework that is appropriate to the 
nature, scale and complexity of its activities. 

b) The council shall approve the overall risk strategy, including the risk appetite and 
oversee its implementation. 

c) The council shall take appropriate steps to ensure that strategic and operational 
decisions are aligned with the risk appetite set by the council. 

d) Review management’s implementation of the risk strategy and obtain assurance
that organizational units are operating within the parameters of the institution’s
appetite for specific types of risk.

Senior management oversight 

a) Senior management is responsible for ensuring that the day-to-day management of
the municipal activities is consistent with the risk strategy, including the risk
appetite, and policies approved by the council

b) When new business strategies or activities are being pursued, senior management 
shall ensure that all key risks associated with the activities have been identified and 
assessed to determine whether these risks are within the municipal risk appetite. 

Audit Committee 

The committee shall ensure that the municipality has an effective risk framework, policy 
and a plan for risk management in order to assist in achieving its strategic goals and that 
the disclosure and reporting of risk is complete, timely and relevant. The committee is an 
integral component of the risk management governance process, and specifically the 
committee shall oversee: 

a) Financial reporting risks 

b) Compliance risks 

c) Fraud risks as they relate to financial reporting

d) IT risks as they relate to financial reporting

Internal Audit 

a) Reviewing the management of key risks 

b) Evaluating the reporting of key risks 

c) Evaluating and giving assurance on risk management processes

d) Giving assurance that risks are correctly evaluated

Risk Management Committee 

a) Review the risk management policy, enterprise risk register, top ten strategic
risks, risk management strategy as well as the annual risk management
implementation plan, and submit recommendations to the Accounting Officer

b) Review the risk appetite and tolerance levels and make recommendations to the
Accounting Officer

c) Review the institution's risk identification and assessment methodologies to
obtain reasonable assurance of the completeness and accuracy of the risk
register

d) Evaluate the effectiveness of mitigating strategies to address the material risks 
of the institution 

e) Report to the Accounting Officer any material changes to the risk profile of the 
institution 

f) Review the fraud prevention policy and make recommendations for 
consideration by the Accounting Officer 

g) Evaluate the effectiveness of the implementation of the fraud prevention policy 

h) Review any material findings and recommendations by assurance providers on 
the system of risk management and monitor that appropriate action is instated to 
address the identified weaknesses 

i) Develop goals, objectives and key performance indicators to measure the 
effectiveness of the risk management activity 

j) Provide proper and timely reports to the Accounting Officer on the state of risk 
management, together with aspects requiring improvement accompanied by the 
Committee’s recommendations to address such issues 

k) The risk committee shall be chaired by an independent person and shall 
be made up as follows: 

• Chairperson-Independent person 

• Accounting Officer 

• All Directors 

• Chief Audit Executive 

• ICT Manager 

• PMS Manager 

• Risk Management Officer

12. RISK PROTOCOLS

a) Council and senior management shall be equipped with timely, complete, 
meaningful and accurate risk information to enable them to make informed 

b) Risk committee shall establish the frequency, content and form of risk reports to 
be submitted to the board so as to ensure the risk reports facilitate 
understanding and the determination of appropriate risk responses. 

c) Information provided to the council and senior management shall present an 
accurate, complete and “unfiltered” (i.e. does not suppress negative information) 
view of material risks in a way that supports informed decisions. 

13. CONCLUSION

This policy shall be reviewed annually by the Risk Committee and management, and
changes shall be approved by the council.